2 Answers
2

The mail your customer is receiving is called backscatter. Simply knowing that people call it that might help your Google searches for potential fixes. Here's a ruleset for SpamAssassin that might help.

The other main thing that can be done to prevent backscatter is to publish SPF records for your customer's domain. The format is detailed at the OpenSPF project's website, but in essence you publish through the DNS a list of servers that are authorized to send mail from your customer's domain, and then make it clear that no others are permitted to do so (-all).

It's up to the recipient to check the SPF records before accepting a spam forged as coming from your customer's domain, but many do, and a hard failure (-all) will cause those recipients to reject the incoming email before it ever gets as far as making a bounce message.

I found that publishing SPF records for my domains immediately cut the backscatter by a big fraction - perhaps 65%? - and it fell much further over time, probably because intelligent spammers will avoid picking fake-sender domains that are going to be instantly rejected by mailservers with clue.
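To show what a receiving mailserver actually does with the published record, here is an added example (not from the answer above or from any SPF library) that evaluates a simplified SPF record against the connecting IP. It handles only `ip4`, `ip6` and `all` with the four qualifiers; `include`, `a`, `mx` and friends need DNS and are flagged rather than resolved. The record and addresses are constructed from RFC documentation ranges.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed example record: two outbound ranges, everything else hard-fails
RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip under the given TXT record.

    Simplified evaluator: ip4/ip6/all only. Mechanisms that need DNS
    lookups return "temperror" so the caller knows they were not checked.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers such as redirect= / exp= are ignored here
        qualifier = "+"  # mechanisms default to "pass" when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record, e.g. "ip4:" without a range
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name in ("include", "a", "mx", "exists", "ptr"):
            return "temperror"  # would need DNS; out of scope offline
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # ran off the end without matching anything


def should_reject(result):
    """Only a hard fail (-all) justifies rejecting at SMTP time, so that
    the forged message never becomes a bounce to the spoofed domain."""
    return result == "fail"


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7", "2001:db8::1"):
        r = evaluate_spf(RECORD, ip)
        print(f"{ip:16} -> {r:8} reject={should_reject(r)}")
```

Replacing `-all` with `~all` in the record turns the forged-sender case into `softfail`, which most receivers accept and may later bounce, so the softer setting does little against backscatter.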

When I began receiving backscatter, I set up SPF records. Backscatter dropped significantly, and use of the domain for spam stopped. I also set up an email alias for the problem userid and forced a failure on it. After years the userid still receives occasional spam addressed to it.
– BillThor Apr 8 '11 at 14:29

I already have SPF records which only permit email from my outbound gateways and deny the rest - but thanks.
– E.Benoît Apr 10 '11 at 7:17